Abstract Vehicular networks are used to coordinate actions among vehicles in traffic by the use of wireless transceivers (pairs of transmitters and receivers). Unfortunately, the wireless communication among vehicles is vulnerable to security threats that may lead to very serious safety hazards. In this work, we propose a viable solution for coping with Man-in-the-Middle attacks. Conventionally, Public Key Infrastructure (PKI) is utilized for secure communication with a pre-certified public key. However, secure vehicle-to-vehicle communication requires additional means of verification in order to avoid impersonation attacks. To the best of our knowledge, this is the first work that proposes to certify both the public key and out-of-band sense-able static attributes to enable mutual authentication of the communicating vehicles. Vehicle owners are bound to preprocess (periodically) a certificate for both a public key and a list of fixed, unchangeable attributes of the vehicle. Furthermore, the proposed approach is shown to be adaptable with regard to the existing authentication protocols. We illustrate the security verification of the proposed protocol using a detailed proof in Spi calculus.

Keywords Man-in-the-Middle attack • security • vehicle networks 


1 Introduction 


Security is a major concern in a connected vehicular network. On one hand, wireless, ad-hoc, and mobile communication implies security threats, while on the other hand it requires perfectly reliable communication, as errors have immediate hazardous implications [?]. Intelligent Transportation Systems (ITS) have been regulated as per the standards IEEE 1609 Dedicated Short Range Communication (DSRC) [?] and IEEE 802.11p Wireless Access for Vehicular Environment (WAVE) [?]. Also, the security configurations have been standardized as IEEE 1609.2 [?] for online security and ISO 26262 [?] for functional risk assessment during the automotive life cycle. While vehicles move in a predictable road topology, maneuvering among the vehicles is somewhat unpredictable. For example, the vehicle ordering changes dynamically along the road and over time. Identifying a vehicle is crucially important in the scope of establishing secure communication with passing vehicles. In particular, using public key infrastructure to establish secure sessions among the moving vehicles is not secure against Man-in-the-Middle (MitM) attacks. Therefore, we propose to modify the conventional certificate structure and facilitate vehicle-to-vehicle authentication through certificate exchange.


Applications of vehicular networks. Gaining on-road safety and efficient traffic management are two prime goals in the use of vehicular networks, which are gradually penetrating the Internet of Things (IoT) communication paradigm. A survey on trust management for IoT [97] and the available candidate Internet Engineering Task Force (IETF) solutions across the network layers has been given in [49, ?]. Smart vehicles may exchange information concerning the road scenario with each other to help manage the traffic and to address safety concerns [?]. For example, data sharing, remote resource access, payments on the go, and a notification on the occurrence of an accident or a traffic jam ahead may assist the approaching vehicles to optimize their time and energy resources. In the very near future, vehicles will interact with several other vehicles to coordinate actions [42] and to provide heterogeneous media services [?]. Recently, there has been a great deal of interest in integrating cloud services with the dynamic vehicular communication. Considering the scalability issues and rapid data exchange in vehicular networks, the authors of [90] have shown integrated secure mobile cloud computing [20, 21, 93, 94] on top of dynamically scattered cyber-physical vehicle networks. Evidently, these kinds of ubiquitous services and real-time applications would require an extended spectrum capacity along with high-speed gigabit data transfer. Therefore, a great deal of research is being directed to materialize a new cellular networking paradigm termed 5G [46, ?], which would essentially realize the vision of next-generation ad-hoc networks.

Fig. 1 Attack scenario with the existing PKI.

Several major projects [?], for example, the Car2Car-Communication Consortium [?], Cartalk [?], Network on Wheels [?], Vehicle Infrastructure Integration [?], Partners for Advanced Transportation Technology [?], Secure Vehicular Communication [8], and E-safety Vehicle Intrusion Protected Applications [?], were conducted in order to initiate, develop and standardize vehicle network operation. These projects were funded by national governments and accomplished by joint ventures of automobile companies, universities and research organizations. Currently, vehicle communication research is rapidly trending towards the security aspects [?]. Therefore, the focus in this paper is to provide wireless communication that is secure against any impersonation attack by a third party.


Problem statement. Public key infrastructure has a severe disadvantage when coping with MitM attacks, not only in the scope of vehicle networks. In common practice, public keys are signed by the authorities and can be verified by the receiver. In the scope of vehicle (ad-hoc) networks, secure interaction among the peer vehicles should be established rapidly without any third party assistance. Thus, no interaction with the Certificate Authority (CA) during the session key exchange is feasible, and an impersonation attack among the moving vehicles is possible. The following scenario demonstrates a typical MitM attack, as shown in Figure 1.

The scenario starts when a vehicle v1 tries to securely communicate with v2 and requests the public key of v2. Vehicle v3 pretends to be v2 and answers v1 with v3's public key instead of v2's. Then v3 concurrently asks v2 for its public key. Vehicle v1 is fooled into establishing a private key with v3 instead of v2, and v2 is fooled into establishing a private key with v3 instead of v1. Vehicle v3 conveys messages from v1 to v2 and back, decrypting and re-encrypting with the appropriate established keys. In this way, v3 can find the appropriate moment to change information and cause hazardous actions to v1 and v2.


Our contribution. Our work demonstrates the utility of out-of-band identification [16, 33] using a coupled public key and fixed verifiable attributes. The certified attributes may be visually verified by a camera, microphone, wireless transceiver fingerprint identification [31], and other sensing devices. We ensure the countermeasures against the MitM attack in two sequential and explicit rounds of communication.
- Twofold authentication: We propose a solution that employs a fixed-attribute-based certification mechanism to correctly identify the neighboring vehicles. Visual identification [?] implies more robust authentication of the transmission source in comparison with signal noise and/or transceiver fingerprint verification. Our solution relies on verifying that the public key originated from the CA, and that the public key belongs to the vehicle with the coupled signed attributes. The periodic licensing routine can serve as an important ingredient of our protocol.

- Periodic certificate restore: Our method has the benefit of interacting with the CA only during preprocessing stages, rather than during the real-time secret session key establishment procedure. Given such a certified public key and vehicle attributes, the protocol establishes a secret session key with neighboring authenticated vehicles using only two communication rounds.

- Adaptation: The proposed approach can be integrated with the existing authentication protocols without breaching the respective security claims of these existing protocols. Therefore, the security claims are strengthened when adapting the proposed approach to the proven authentication protocols.

- Verification: The proposed approach satisfies the secrecy and authentication properties. These security claims have been verified using an extended security analysis in Spi calculus.


Related Work. In this section, we review related work concerning vehicle network threats and the state of the art for mitigating MitM attacks. Then we describe existing entity authentication schemes, and in particular the utility of out-of-band communication for authentication purposes.

Vehicle network threats. An autonomous wireless connection among vehicles imposes serious security threats such as eavesdropping [78], identity spoofing [29, 77], sybil attack [64], wormhole attack [69], replay attack [?], message content tampering [?], impersonation [?], denial of service attack (DoS) [?] and Man-in-the-Middle attack [50]. In [62] an anti-spoofing scheme based on Mutual Egress Filtering (MEF) using a compressed Access Control List (ACL) over border routers is presented. Furthermore, [22, 102] present a survey of security challenges in Cognitive Radio Networks (CRN) with respect to exogenous/jamming, intruding, and greedy attackers and crucial routing metrics.

Mitigating Man-in-the-Middle attacks. The Global System for Mobile Communication (GSM) is one of the most popular standards in cellular network infrastructure. Unfortunately, it uses only one-sided authentication between the mobile station and the coupled base station [?]. The Universal Mobile Telecommunication Standard (UMTS) improves over the security loopholes in GSM. It includes a mutual authentication and integrity protection mechanism but is still vulnerable to MitM attacks [?].


MitM and DoS attack analysis for the Session Initiation Protocol (SIP) is shown in [30], using a triangle communication model between SIP user agent and server. This work presents an analysis of the attack possibility, but does not offer any solution to the problem at hand. The interconnection between 3G and wireless LAN is vulnerable to MitM attacks by influencing the gateway nodes [104]. According to [?], mobile hosts and the base station share a secret cryptographic function and mutually raise a challenge-response string prior to employing the original Diffie-Hellman key exchange scheme [?]. Thus, the mobile host replies with a cryptographic response and Subscriber Station Identifier (SSI) to a base station, but it does not verify any of the unchangeable attributes of the intended subscriber. This way a base station, capable of verifying a unique SSI connection, may not confirm the authentic owner of the SSI connection. Furthermore, position-based routing schemes for vehicular networks [63, ?] would play a crucial role in reliable secure communication. This may further be extended to energy saving, such as a delay tolerant routing approach for vehicle networks [103] that allows delay-bounded delivery by combining a carry-and-forward mechanism with a replication mechanism. A dynamic backpressure-based routing protocol for Delay Tolerant Networks (DTNs) is given in [?, ?, 89]. Accordingly, routing decisions are made on a per-packet basis using queue logs, random walk and data packet scheduling, as opposed to static end-to-end routes. Similarly, a stability-based routing scheme that synergises noise ratio, distance and velocity into a routing decision is given in [?]. A reliable multicast protocol for lossy wireless networks using opportunistic routing with random linear network coding [60, 61, 95] and a genetic algorithm based approach is presented in [101].


Entity authentication. There has been great research activity in the scope of cryptographic solutions [?] for entity authentication. A security scheme for sensor networks, called TESLA, has been proposed in [73]. TESLA is based on delayed authentication with self-authenticating key chains. TESLA yields a time-consuming authentication mechanism (messages received on a timeline can be authenticated only after receiving the immediately next message over the same timeline). Although the chances are small, a MitM can still intercept through weak hash collisions and a fake delayed key. An improvement, TESLA++, has been suggested in [?] as an adapted variation of delayed authentication. A combination of TESLA++ and digital signatures provides Denial of Service (DoS) attack resilience and non-repudiation, respectively. The drawback of this approach is that the message digest and the corresponding message (with the self-authenticating key) are transmitted separately to the receiver. Thus, a MitM may step in, as it does not follow the fixed-attribute-based verification. Furthermore, another scheme for anomaly detection and attack trace-back for encrypted protocols and IP spoofing trace-back is given in [100].

Raya and Hubaux [75, 76] proposed that each vehicle contains a set of anonymous public/private key pairs, where these public keys have been certified by the CA. The certificates are short-lived, and therefore need to be confirmed against a Certificate Revocation List (CRL) before use. The drawback of this approach is that roadside infrastructure is required to provide the most up-to-date CRL. A MitM-attack-resistant key agreement technique for peer-to-peer wireless networks is suggested in [?], where the primary mutual authentication is done before the original Diffie-Hellman key exchange. This primary authentication step could be a secret digest comparison, e.g., through visual or verbal contact, distance bounding or integrity codes. However, a MitM can intercept because the proximity awareness and the visual and verbal signals are computed by the device and verified by the user; in our case the attributes are already certified by the CA and the user then verifies them again. Moreover, the authors in [?] presented an incentive mechanism for peer-to-peer networks in order to encourage user cooperation as opposed to selfish behaviour, and another work addresses Software Defined Network (SDN) security in [98]. The secure communication scheme in [?] is an enhancement over the Raya and Hubaux scheme, in that a certified public key is exchanged and further used to set up a secret session key as well as a group key. Here, the attacker can pretend to be some other vehicle by replaying the certificates, and there currently exists no other means to verify that this vehicle is not the actual owner of the certificate. In addition, [43, 106] present a secure (i.e. proactive secret sharing scheme) and privacy preserving (identity blinding) key management scheme resilient to time- and location-based mobile attacks, proposed for m-healthcare social networks [105].


Out-of-band channel authentication. There have been great efforts to utilize various auxiliary out-of-band channels for entity authentication. The notion of a pre-shared secret over a limited contact channel was first raised in [84].

The pre-authentication channel is a limited-scope channel to share limited information, but it inherits the same vulnerability that a wireless channel has. In this scheme, there may be cases when a vehicle authenticates the sender but is not able to verify the specific identity traits. In our scheme we do it in reverse: first the certified attribute verification over the wireless channel, and then the static attribute verification over the out-of-band channel of communication.

A method shown in [44, 65] suggests that a common movement pattern can help to mutually authenticate two individual wireless devices driven by a single user. In [?], a pre-authentication phase is used to verify the identity before the original public key is exchanged and confirmed over the insecure wireless channel. Another work, in [?], presents a visual out-of-band channel. A device can display a two-dimensional barcode that encodes the commitment data; hence, a camera-equipped device can receive and confirm this commitment data against the available public key. Unfortunately the attacker can still capture and/or fabricate the visible commitment data, as it is not coupled with the public key. The approach in [?] is based on acoustic signals, using audio-visual and audio-audio channels to verify the commitment data. In the audio-visual scheme, a digest of the public key is exchanged by vocalizing the sentence and comparing with a display on the other device, while the audio-audio scheme compares vocalized sentences on both devices. In a recent work [79], Light Emitting Diode (LED) blinks and the time gap between those blinks have been used to convey the digest of the public key. Also, a combination of an audio-visual and an out-of-band channel has been proposed in [74], which uses beeps (audio) and LED blinks (visual) in combination to convey the commitment data. The proposed method is less effective because the public key and the out-of-band information are not certified; therefore a MitM can record the out-of-band information and replay it. The approach in [66] suggested the use of spatial reference authentication, such as correlating latency with distance, which can be faked by a MitM attacker. In particular, all identification techniques presented in [66] are not coupled with the public key in a signed form and therefore allow a MitM attacker to penetrate.

Section 2 illustrates the system settings and a detailed description of the proposed authentication scheme. Next, in Section 3, we discuss properties of our proposition in relation to the security provided by other key establishment protocols and the transport layer security handshake with certified attributes. Section 4 demonstrates a high level security analysis along with a formal correctness sketch using Spi calculus. The last section, Section 5, concludes the discussion.

Fig. 2 The proposed protocol. Message sequence shown in the figure:
  Sender -> Receiver: Cert_S (send Cert_S: certified coupled public key and attributes).
  Receiver: verify signed Cert_S; visual binding: locate certified attributes.
  Receiver -> Sender: Cert_R || key_r (send Cert_R: certified coupled public key and attributes).
  Sender: verify signed Cert_R and key_r; visual binding: locate certified attributes.
  Sender: secure session, encrypt messages with key_r. Receiver: secure session, decrypt messages with key_r.


2 Out-of-band Sense-able Certified Attributes for Mitigating Man-in-the-Middle Attacks


The proposed approach is specifically designed and ready to use for recently customized vehicles with the following configurations.

System Settings. 


Customized standards and hardware for vehicles. The vehicles are assumed to be equipped with Electronic Control Units (ECUs), sensors, actuators [45] and a wireless transceiver that supports the DSRC (Dedicated Short Range Communication) standard [?, 26]. These ECUs are interconnected over a shared bus to trigger a collaborative decision on some safety critical events. Furthermore, a wireless gateway is installed to connect the in-vehicle network with the external network or device for diagnosis purposes. The in-vehicle network can be divided into the controller area network (CAN), local interconnect network (LIN), and media oriented system (MOST) [52] based on the technical configurations and the application requirements. These embedded devices enable facilities such as automatic door locking, collision warnings, automatic brake system, reporting road conditions, rain and dark detection, and communication with the surrounding road infrastructure. Therefore, vehicles must be equipped with the fundamental communication capabilities as per the vehicular communication standards mentioned above. Our protocol would provide secure communication on top of the available and standardized communication schemes in these customized vehicles.


Registration and identity certification. In addition to the technical configurations that a vehicle must be equipped with, a trusted third party is also required periodically for the successful execution of the proposed approach in this paper. Currently, every vehicle is periodically registered with its national or regional transportation authority, which allocates a unique identifier to the vehicle with an expiration date, which usually is the next required inspection date. In some regions of the United States and Europe, registration authorities have made substantial progress toward electronically identifying vehicles and machine-readable driving licenses. According to the state of the art, these registration authorities would assign a public/private key pair to the inspected vehicles for secret information exchange. However, our protocol would be secure against the possible attacks even if vehicles are pre-assigned with the certificates.

Fig. 3 Certificate structure. Fields shown in the figure:
  World Manufacturer Identifier (geographic area, country, plant code)
  Vehicle Descriptor Section (model year, brand logo, body style, original color and texture, color repairs, roof racks, foot step, mud flap, front and rear guard)
  Vehicle Indicator Section (engine number, engine type, license number, chassis number)
  GPS Device Identification | Wireless Device Fingerprint
  Procedures to Execute for Verifying the Attributes
  Certificate Sequence Number | Certificate Expiration Date
  Public Key
  Digital Signature

We suggest mitigating MitM attacks by coupling out-of-(the wireless)-band verifiable attributes (see Figure 3). Vehicles are authenticated using digitally signed certificates and out-of-band verifiable attributes. For example, these attributes may include visual information that can be verified by input from a camera when there exists line-of-sight, including the identification of the driving license number, brand, color and texture, and even the driver's face if the owner wants to restrict the drivers that may drive the vehicle. Other attributes may be verified by other sensing devices, such as a microphone for noise.

The proposed protocol can be pinpointed as follows:

- Initially, vehicles must preprocess a uniform cipher suite and a unique certificate from a CA.

- Communication starts with exchanging a digitally signed certificate that is a commitment over the certified attributes and the coupled public key.

- The present protocol utilizes an indirect binding over the commitment data and the shared secret session key.

- Two rounds of session key negotiation must ensure the authenticity and secrecy of the origin and of the message contents, respectively (the proposed protocol with improvements against impersonation attacks, see Section 3).

- Commitment data is assumed to be hashed using a collision-free and second-preimage-resistant function.

- The protocol is interactive, while enabling mutual authentication, session key establishment and subsequent session interaction in a single protocol run.
1. Sender S sends the certificate Cert_S = Attribute_S + Public key_S || Sign_CA(H(Attribute_S + Public key_S)) to a neighbor R.

2. Receiver R confirms the authenticity of the certificate Cert_S as described in 2.(a) and then responds as detailed in 2.(b):

   (a) R verifies the digital signature using the CA public key PK_CA and verifies Attribute_S using out-of-band channels.

   (b) R responds with the certificate Cert_R = Attribute_R + Public key_R || Sign_CA(H(Attribute_R + Public key_R)). R also appends a random string key_r and the certificate sequence number Sequence Number_S, encrypted with Public key_S and SK_R, i.e. E_{Public key_S}(key_r + Sequence Number_S) || E_{Public key_S}(E_{SK_R}(H(key_r + Sequence Number_S))).

3. Sender S confirms the authenticity of the certificate Cert_R as described in 3.(a) and then responds as detailed in 3.(b):

   (a) S verifies the digital signature using the CA public key PK_CA and verifies Attribute_R using out-of-band channels.

   (b) S decrypts the secret session key and certificate sequence number, concatenated with the digital signature, using its own secret key SK_S, i.e. D_{SK_S}[E_{Public key_S}(key_r + Sequence Number_S)], resulting in key_r. The digital signature of R is also verified using SK_S and Public key_R, respectively, i.e. D_{Public key_R}(D_{SK_S}(E_{Public key_S}(E_{SK_R}(H(key_r + Sequence Number_S))))), which results in H(key_r + Sequence Number_S). Now the hash function H is applied to key_r + Sequence Number_S and compared with the hash string H(key_r + Sequence Number_S) recovered from the digital signature. If both hash strings are equal and the symmetric zero-padded composition key_r + Sequence Number_S is valid, then key_r is accepted as a valid session key.

4. Sender and receiver exchange encrypted messages using key_r as a shared secret key for S and R.

Fig. 4 Session key establishment in two rounds.


- The protocol ensures perfect forward secrecy (protocol with improvements for FS, see Section 3).
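As an added, constructed example (not the paper's own code), the two-round session key establishment of Figure 4 and the Figure 1 impersonation scenario in Python: textbook RSA over hard-coded toy primes stands in for the CA and vehicle keys, the paper's '+' is modelled as fixed-width composition, and the out-of-band check is simulated by comparing certified attributes with the attributes a camera is assumed to have sensed. Two extra runs model v3 from Figure 1 answering v1 with its own certificate, and replaying v2's certificate; both are rejected by the checks of step 3.

```python
import hashlib
import secrets

# Toy textbook RSA over hard-coded primes, constructed for illustration only
# (far too small for real use): Mersenne primes, the NTT prime 119*2**23 + 1,
# and the twin primes 10**9 + 7 / 10**9 + 9.
M31, M61, M89, M107, M127 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
E = 65537

def keygen(p, q):
    """Return (PK, SK) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa(key, m):
    """E_PK, D_SK, Sign_SK and signature opening are all one modular exponentiation."""
    n, exp = key
    return pow(m, exp, n)

def H(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def pad(key_r: int, seq: int) -> int:
    """The paper's '+': fixed-width composition of a 64-bit key_r and a 32-bit sequence number."""
    return (key_r << 32) | seq

def unpad(m: int):
    """Inverse of pad(); None when the composition is not a valid 96-bit value."""
    return None if m >= 2**96 else (m >> 32, m & 0xFFFFFFFF)

def cert_body(attributes: bytes, pk) -> bytes:
    return attributes + b"|" + pk[0].to_bytes(32, "big")

def issue_cert(ca_sk, attributes: bytes, pk, seq: int):
    """CA preprocessing: Cert = Attribute + PK || Sign_CA(H(Attribute + PK))."""
    sig = rsa(ca_sk, H(cert_body(attributes, pk)) % ca_sk[0])
    return {"attributes": attributes, "pk": pk, "seq": seq, "sig": sig}

def verify_cert(ca_pk, cert, sensed: bytes) -> bool:
    """Steps 2(a)/3(a): CA signature over the coupled (attributes, PK), then the
    out-of-band check that the certified attributes match what the sensors see."""
    body_hash = H(cert_body(cert["attributes"], cert["pk"])) % ca_pk[0]
    return rsa(ca_pk, cert["sig"]) == body_hash and cert["attributes"] == sensed

def receiver_respond(ca_pk, cert_r, sk_r, cert_s, sensed_s: bytes):
    """Step 2: verify Cert_S, then return (key_r, Cert_R together with
    E_PKS(key_r + Seq_S) || E_PKS(E_SKR(H(key_r + Seq_S)))), or None."""
    if not verify_cert(ca_pk, cert_s, sensed_s):
        return None
    key_r = secrets.randbits(64)
    m = pad(key_r, cert_s["seq"])
    inner = rsa(sk_r, H(m.to_bytes(12, "big")) % sk_r[0])   # R's signature on the hash
    assert inner < cert_s["pk"][0], "toy RSA: the outer layer needs n_R < n_S"
    return key_r, (cert_r, rsa(cert_s["pk"], m), rsa(cert_s["pk"], inner))

def sender_accept(ca_pk, sk_s, seq_s: int, sensed_r: bytes, response):
    """Step 3: verify Cert_R, recover key_r, check the sequence number and R's
    signature; return key_r, or None when any check fails."""
    cert_r, c1, c2 = response
    if not verify_cert(ca_pk, cert_r, sensed_r):
        return None
    fields = unpad(rsa(sk_s, c1))
    if fields is None or fields[1] != seq_s:
        return None                       # malformed composition or wrong sequence number
    m = pad(*fields)
    expected = H(m.to_bytes(12, "big")) % cert_r["pk"][0]
    if rsa(cert_r["pk"], rsa(sk_s, c2)) != expected:
        return None                       # signature was not made with SK_R
    return fields[0]

# Constructed scenario: CA, honest vehicles v1 (S) and v2 (R), attacker v3.
CA_PK, CA_SK = keygen(M89, 998244353)
V1_PK, V1_SK = keygen(M61, M107)
V2_PK, V2_SK = keygen(M31, M127)
V3_PK, V3_SK = keygen(10**9 + 7, 10**9 + 9)
ATTR = {"v1": b"plate=AB-123;color=red;logo=X",
        "v2": b"plate=CD-456;color=blue;logo=Y",
        "v3": b"plate=EF-789;color=blue;logo=Y"}   # v3 resembles v2 but its plate differs
CERT = {name: issue_cert(CA_SK, ATTR[name], pk, seq)
        for name, pk, seq in (("v1", V1_PK, 11), ("v2", V2_PK, 22), ("v3", V3_PK, 33))}

def honest_run() -> bool:
    """v1 <-> v2; each side's camera sees the genuine peer's attributes."""
    key_r, msg = receiver_respond(CA_PK, CERT["v2"], V2_SK, CERT["v1"], ATTR["v1"])
    return sender_accept(CA_PK, V1_SK, CERT["v1"]["seq"], ATTR["v2"], msg) == key_r

def mitm_own_cert():
    """v3 answers v1 with its own valid certificate while v1's camera sees v2: rejected."""
    _, msg = receiver_respond(CA_PK, CERT["v3"], V3_SK, CERT["v1"], ATTR["v1"])
    return sender_accept(CA_PK, V1_SK, CERT["v1"]["seq"], ATTR["v2"], msg)

def mitm_replayed_cert():
    """v3 replays v2's certificate but can only sign key_r with SK_v3: rejected."""
    _, msg = receiver_respond(CA_PK, CERT["v2"], V3_SK, CERT["v1"], ATTR["v1"])
    return sender_accept(CA_PK, V1_SK, CERT["v1"]["seq"], ATTR["v2"], msg)
```

The two rejected runs show the two bindings the paper relies on: the CA signature ties the attributes to one public key, and the out-of-band comparison ties that certificate to the vehicle actually in view.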

In the proposed protocol, vehicles carry a digitally signed certificate Cert from the CA (see Figure 3 for a possible structure of such a certificate). The pseudo-code description of the secret key establishment procedure appears in Figure 4 and the notations in Table 1. Our protocol does not require any communication with the CA or the roadside units while actually authenticating vehicles on the move. The only interaction with the CA is during a preprocessing stage, which is mandatory to possess a certificate. The certificate holds a public key and unchangeable (or rarely changeable) attributes of the vehicle signed by the CA. These out-of-band sense-able vehicular attributes should be sensed by other vehicles and checked in real time. Note that the procedure to check these vehicular attributes may be given as part of the certified information. Our protocol is a viable solution to combat MitM attacks, as it utilizes a separate sense-able out-of-band channel to authenticate the unchanged vehicular attributes. The certificate can be updated and restored on each periodic inspection or in the rare case of an attribute change. Therefore, the proposed approach saves time and communication overhead in the authentication process. In addition, it avoids the frequent CA communication bottleneck and is suitable for emergency and safety critical applications. A detailed description of the solution appears in the next section.

Table 1 Notations.
  S                    Sender
  R                    Receiver
  Cert_S               Certificate of sender
  Cert_R               Certificate of receiver
  PK_CA                Public key of CA
  SK_CA                Secret key of CA
  PK_S                 Public key of S
  PK_R                 Public key of R
  SK_S                 Secret key of S
  SK_R                 Secret key of R
  Attribute_S          Static attributes of S
  Attribute_R          Static attributes of R
  Sequence Number_S    Sequence number of S
  Sequence Number_R    Sequence number of R
  H                    Hash function
  key_r                Session key
  ||                   String concatenation
  +                    Symmetric bit padding
  E_PK                 Encryption with PK
  D_PK                 Decryption with PK
  E_SK                 Encryption with SK
  D_SK                 Decryption with SK
  v                    Vehicle
  l                    License number

We assume that the CA established a certificate in the form Attribute_S + Public key_S || Sign_CA(H(Attribute_S + Public key_S)) for each party. These certificates are used to establish a (randomly chosen) shared key, key_r. The shared key key_r can then be used to communicate encrypted information from the sender to the receiver and back. One way to do this is to use key_r as a seed for producing the same pseudo-random sequence at both the sender and the receiver, and then XOR the actual sensitive information to be communicated with the bits of the obtained pseudo-random sequence. Next, we describe in detail the involved entities and their part in the procedure for establishing a session key.

Certificate Authority. The list of CAs with their public keys PK_CA may be supplied as an integral part of the transceiver system of the vehicle, similar to the way browsers are equipped with a list of CA public keys. Only registered vehicles are allowed to communicate on the road. Digital signatures Sign_CA(H(Attribute_sender + Public key_sender)) represent the hash of the public key and attributes encrypted with the CA secret key SK_CA. The digital certificate works as an approval over the public key and the out-of-band verifiable attributes of the vehicle. The CA can update or renew a certificate upon need or when the current certificate expires.

Vehicular Attributes. A vehicle incorporates various sensors to capture useful primitives from the neighborhood. Each vehicle is bound to a set of primitives yielding a unique identity to that vehicle. The vehicle identity encloses a tuple comprised of attributes such as license number, public key, distinct visual attributes and other out-of-band sense-able attributes, extending the basic set of attributes required according to the ISO 3779 and 3780 standards [12]. The idea behind using out-of-band attributes such as vision and position is to simulate human perception in the real world, along with the digital signatures, to confirm the identity. These out-of-band sense-able attributes are captured through customized device connections such as camera, microphone, cellular communication and satellite (GPS system). In addition, we suggest identifying the wireless communication itself, rather than the contents sent over the wireless communication; this is done by the certified transceiver fingerprints. Thus, the transceiver must be removed from the original vehicle and possibly reinstalled in the attacker's vehicle to launch the attack. Verifying each of the attributes over an out-of-band channel implies a certain trust level in the identity of the communicating party, which in turn determines the possible actions taken based on the information received from the partially or fully authenticated communicating party. Thus, a vehicle can perceive the surroundings from the driver's perspective using vision with a sense of texture, acoustic signals, and the digital certificate. A combination of these primitives is different for every vehicle, i.e., license number, outlook of the vehicle including specific equipment, specific visual marks such as specific color repair marks, manufacturer's logo and/or engine acoustics classification signals.


3 Key Exchange Protocols with Out-of-Band Sense-able Attributes Authentication


Many two-party Authenticated Key Exchange (AKE) protocols [53, 56, ?], which allow two parties to authenticate each other and to establish a secret key via a public communication channel, and three-party AKE protocols [99] have been proposed over the past years, addressing various adversary models and possible attacks. There exist one-round protocols that ensure weak forward secrecy [?], that is, providing Forward Secrecy only when the adversary is not active in the session. These one-round protocols are based on a simultaneous interaction between the sender and receiver. In their work, the authors also prove the impossibility of establishing strong forward security in one round. However, one-way protocols with strong secrecy exist in [24, 37, ?]. They have assumed that the ephemeral secret keys are exchanged between the peer parties while the adversary is not allowed to access the ephemeral secret key. Informally, as stated in [53], AKE protocols should guarantee the following requirements: Authentication - each party identifies its peer within the session; Consistency - if two honest parties, A and B, establish a common session key K, then A believes it communicates with B while B believes it communicates with A; Secrecy - if a session is established between two honest peers, then no adversary should learn any information about the resultant session key.

Usually the above requirements are described more formally by detailed scenarios 
that involve resistance to the following attacks. Basic Key Exchange (KE) security is 
defined through the KE experiment, in which an adversary that controls the 
communication channel should not be able to distinguish the session key established 
between the parties from a random value. The Forward Secrecy (FS) property guarantees 
that a session key derived from a set of long-term public and private keys will not 
be compromised if one of the (long-term) private keys is compromised in the future. 
Therefore, an adversary who corrupted one of the parties (learned its long-term secret 
key) should not be able to learn session keys of past sessions executed by that party. 
Known Session Key Attack resilience provides that an adversary who learns a session 
key should be unable to learn other session keys. 

Additionally, authentication in AKE protocols implies resistance to various 
misidentification threats. Unknown Key-Share Attack resilience prevents an adversary 
from causing the situation whereby a party (say A), after the protocol completion, 
believes she shares a key with B, and although this is in fact the case, B mistakenly 
believes the key is shared with a party E (other than A). Key Compromise Impersonation 
(KCI) resilience provides that an adversary who learns the long-term secret key of 
some party (say A) should be unable to share a session key with A by impersonating 
the other party to A, although obviously it can impersonate A to any other party. 
Extended Key Compromise Impersonation (E-KCI) resilience: in regular AKE protocols, 
parties use additional random parameters known as ephemeral keys, for example, 
ephemeral Diffie-Hellman keys coined for the purpose of session initialization. An 
adversary who learns both the long-term secret key and an ephemeral key of some party 
(say A) should be unable to share a session key with A by impersonating another party 
to A. Ephemeral Key Compromise Impersonation (ECI) resilience: an adversary who learns 
only an ephemeral key of some party (say A) should be unable to share a session key 
with A by impersonating another party to A. 

In this paper, we focus on specific AKE scenarios for securing the communication of 
vehicles via out-of-band sense-able attributes. We assume that: 

1. a sender and a recipient use specialized devices for recognizing out-of-band 
sense-able attributes; 

2. these devices can precisely pick out the peer vehicle, and can accompany a regular 
(say radio communication) channel; 

3. the out-of-band sense-able attributes identify a vehicle uniquely. 

If the above assumptions do not hold, then the protocol in Figure [?] can be subject 
to impersonation repetition attacks and does not fulfill the FS property, as outlined 
below. 

Impersonation Repetition attack - version 1. Any adversary A that is within the radio 
range of a sender S with Attribute_S and a recipient R with Attribute_R, and that once 
recorded a valid transcript and the certificate of S, can initiate future communication 
on behalf of S. Although A cannot decipher responses from R, the attack could be used 
to make R think that S wants to communicate. Moreover, R can use such an initiated 
session to send some valid but unwanted messages to S (see Figure [?]). 

Impersonation Repetition attack - version 2. An adversary A that once recorded a valid 
transcript between a sender S with Attribute_S and a recipient R with Attribute_R can 
simulate future answers (steps 2a, 2b in Figure [?]) for the same recipient R (or for 
any other recipient R' that has attributes similar to Attribute_R) challenged by S. 
Adversary A simply sends back the messages previously recorded in steps 2a, 2b (see 
Figure 6). Thus, after S finishes the protocol in the accepting state, it thinks it 
partnered with the intended R, and starts to decrypt subsequent messages encrypted 
with the established key. Although, in this repetition attack, A does not learn the 
session key, after acquiring the first message from S, the adversary A can send back 
the previously recorded answers from R to S, finishing the protocol. Subsequently, A 
can continue by sending previously recorded ciphertexts encrypted with the previous 
session key. Such ciphertexts would be accepted as valid and decrypted by S. If the 
protocol run is aimed only at authentication (peers do not want to communicate 
further, which we do not consider here), then the attack itself is a serious threat, 
e.g., the case where S is a police car that monitors the speed of other cars and wants 
to identify the recipient. 

Fig. 6 Repetition attack - version 2. 

Improvements Against Impersonation Attacks. In the case of the proposed protocol, we 
can simply protect against impersonation attack version 1 in the following way: a 
sender S encrypts an acknowledgment of the second message it receives from R with the 
session key and sends it at the beginning of the transmission through the encrypted 
channel. For protection against impersonation attack version 2, a sender S sends (in 
the first step) the concatenation Cert_S || Nonce_S to R, where Nonce_S is a unique 
random challenge coined for that session by S. Then the cryptograms answered by R in 
the second step should include the same Nonce_S, which subsequently should be 
verified by S. 

Forward Secrecy (FS): This is the protection of past session keys in spite of the 
compromise of long-term secrets. If the attacker somehow learns the long-term secret 
information held by a party (the party is then controlled by the attacker, and 
referred to as corrupted), it is required that session keys produced (and erased from 
memory) before the party corruption happened remain secure (i.e., no information on 
these keys should be learned by the attacker). Obviously our protocol does not fulfill 
FS. If the attacker records transcripts and then corrupts the party S (obtains its 
private keys), then the previous session keys key_r are exposed and the transcripts 
can be deciphered. Improvements for FS. We can improve our protocol for FS by setting 
Nonce_S = g^α and the responded key_r = g^β, for some random ephemeral keys α and β. 
Then the session key would be derived from the value g^{αβ} and computed independently 
on both sides. 
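The two countermeasures and the FS improvement above, as an added example in Go (not the paper's code): Nonce_S = g^α and key_r = g^β are realised as X25519 ephemeral keys, R binds Nonce_S into its answer with an HMAC under the derived session key, and S answers with the acknowledgment of R's message under that key. The message layout, the key derivation, the use of HMAC tags and the opaque certificate strings are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Msg1 is S's step 1, Cert_S || Nonce_S, with Nonce_S = g^alpha realised as an
// X25519 ephemeral public key. Certificates are opaque strings in this example.
type Msg1 struct {
	CertS  string
	NonceS []byte
}
// Msg2 is R's step 2, Cert_R || key_r (= g^beta) || Tag. Tag is an HMAC over Nonce_S
// under the session key (this example's reading of "the answer includes Nonce_S").
type Msg2 struct {
	CertR string
	KeyR  []byte
	Tag   []byte
}
// Sender is S's per-session state. eph (alpha) is erased once the session key
// exists, so a later compromise of S's long-term keys cannot recover g^{alpha beta}.
type Sender struct {
	cert  string
	eph   *ecdh.PrivateKey
	nonce []byte
	K     []byte // session key derived from g^{alpha beta}
}

// deriveKey hashes g^{alpha beta} with both public values; the label is this example's own.
func deriveKey(shared, nonceS, keyR []byte) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{[]byte("vehicle-ake-example-v1"), shared, nonceS, keyR}, nil))
	return d[:]
}

func tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// sharedSecret computes g^{alpha beta} from one side's ephemeral private key and
// the other side's public value.
func sharedSecret(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// Start picks a fresh alpha and sends Nonce_S = g^alpha.
func (s *Sender) Start() (Msg1, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Msg1{}, err
	}
	s.eph, s.nonce = eph, eph.PublicKey().Bytes()
	return Msg1{CertS: s.cert, NonceS: s.nonce}, nil
}

// Respond is R's side: pick beta, answer with key_r = g^beta, derive the session
// key and bind Nonce_S into the answer. R's copy of the key is returned as well.
func Respond(certR string, m1 Msg1) (Msg2, []byte, error) {
	beta, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Msg2{}, nil, err
	}
	sh, err := sharedSecret(beta, m1.NonceS)
	if err != nil {
		return Msg2{}, nil, err
	}
	keyR := beta.PublicKey().Bytes()
	k := deriveKey(sh, m1.NonceS, keyR)
	return Msg2{CertR: certR, KeyR: keyR, Tag: tag(k, m1.NonceS)}, k, nil
}

// Finish is S's check of step 2 plus the version-1 countermeasure: derive the key,
// require that the tag covers this session's Nonce_S, erase alpha, acknowledge.
func (s *Sender) Finish(m2 Msg2) ([]byte, error) {
	sh, err := sharedSecret(s.eph, m2.KeyR)
	if err != nil {
		return nil, err
	}
	k := deriveKey(sh, s.nonce, m2.KeyR)
	if !hmac.Equal(m2.Tag, tag(k, s.nonce)) {
		return nil, errors.New("answer does not carry this session's Nonce_S: replayed or forged")
	}
	s.eph, s.K = nil, k // alpha erased; only the session key survives
	return tag(k, append([]byte("ack"), m2.Tag...)), nil // R checks this with its own key
}
```

A recorded Msg2 fed to a fresh session of S (the version 2 repetition attack) is rejected, because the new session's Nonce_S and α produce a different key and tag.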

Obviously one can also utilize some three-round protocols previously discussed in the 
literature, instead of our two-round protocol, that do not require predefined 
knowledge of the peer's identity. The idea of out-of-band sense-able attributes can be 
incorporated into them without undermining their security. The first straightforward 
choice would be the ISO KE protocol, described in [?] and mentioned among other 
protocols in [?]. Figure 7 presents the protocol, where Cert_S and Cert_R are the 
certificates proposed in this paper. In the protocol, any vehicle receiving the 
certificate can immediately validate the certificate by means of the CA public key 
and the out-of-band visible attributes. They also validate the received signatures 
and proceed only if the validation is correct. The established session key K_s is 
derived from g^{xy}. Note that this protocol does not support identity hiding, as 
certificates are transferred in plaintext. 

If we consider anonymity, where the communicating entities must not be exposed to the 
non-communicating entities, then the certificates should not be transferred as 
plaintext. 

Fig. 7 ISO KE adopted to the proposed certificates. (Recovered messages: R → S: 
Cert_R, g^y, SIG_R(g^x, g^y, Cert_S); S → R: SIG_S(g^x, g^y, Cert_R).) 

Fig. 8 SIGMA protocol adopted to the proposed certificates. (Recovered messages: 
g^y, ENC_{K_e}(R, SIG_R(g^x, g^y), MAC_{K_m}(R)); ENC_{K_e}(S, SIG_S(g^x, g^y), 
MAC_{K_m}(S)).) 

The SIGMA protocol [53] for identity protection is based on a DH exchange 
authenticated with digital signatures. A session key K_s, an encryption key K_e and a 
message authentication key K_m are derived from the DH value g^{xy} (K_s, K_e and K_m 
must be computationally independent from each other), see Figure 8. Here, the parties 
decrypt messages by means of the key K_e, validate certificates by means of the CA 
public key and verify the MACed identity. Each party independently proceeds only if 
both the decryption and the validation are correct. However, this allows MitM attacks, 
as the CA is not involved during the on-line process of key exchange. Moreover, the 
two parties in communication might not verify the mutual identity, i.e., whether they 
communicate with the actual intended party or with some other party holding a valid 
certificate as well as an identity (which may be an adversary or an innocent identity 
misbinding). Therefore, the proposed approach provides a coupling between the 
vehicle's physical identity and the authenticated communication over the wireless 
channel. 

If the deniability property (which assures that a transcript should not be regarded 
as a proof of interaction) is important, then we propose to adopt one of the protocols 
in [?]. However, in this case we should assume that the parties' private keys are 
discrete logarithms of the corresponding public keys, and computations are performed 
in algebraic structures where the discrete logarithm problem (DLOG) is hard. Although 
the deniable protocols from [40,4?] require four passes of messages, they were 
designed for machine readable travel documents, which in turn can be implemented on 
smart-cards. Therefore, we acknowledge that implementing them for vehicular 
communication can also be considered. 

In addition, our protocol can be combined with well-known existing authentication 
protocols, e.g., NAXOS [55] and NAXOS+ [?], which are proven to be secure in the CK 
[?] and eCK [?] security models. NAXOS assumes that sender and receiver have already 
exchanged the public key/certificate and requires two additional rounds for the 
ephemeral key exchange and session key establishment. However, the proposed protocol 
provides a certified visual binding in two explicit rounds of certificate exchange 
and does not interfere with the security claims of the associated authentication 
protocol. 


Transport Layer Security Handshakes with Certified Attributes. Our proposed approach 
adapts the security construction of the conventional Transport Layer Security (TLS) 
protocol as depicted in Figure 9. Accordingly, TLS mutual authentication is based on a 
certificate exchange between the sender and receiver. Our proposed approach inherits 
the certificate-based security handshake framework from the TLS protocol; 
additionally, the ability to verify the certified attributes through an auxiliary 
communication channel is the key contribution of our protocol. 

Fig. 9 Transport Layer Security. (Handshake steps: Hello(version, compatibility); 
Hello(version, compatibility), Cert_R, Request; Verify Cert_R; Finish; Verify Cert_S; 
Session starts.) 

We propose a modified certificate structure that certifies the coupling between 
visual static attributes and the public key of a vehicle. Therefore, the receiver 
verifies the integrity and authenticity of the certified and coupled public key and 
static attributes through an out-of-band communication channel. In addition, sender 
and receiver verify this coupling before switching to the wireless communication 
channel. TLS handshakes are based on a pre-defined sequence of phases such as mutual 
authentication, random secret exchange and session key establishment. The handshake 
between sender S and receiver R starts by sending the supported range of 
cryptographic standards, also called the Hello message. Moreover, the mutual 
authentication is accomplished through the CA-signed certificates in the Certificate 
Exchange message. 

At first, S forwards the certificate Cert_S to R, which then verifies the CA signature 
on Cert_S and the out-of-band sense-able fixed attributes of the sender, i.e., 
Attribute_S. Similarly, S verifies the CA signature on Cert_R and the out-of-band 
sense-able fixed attributes Attribute_R. During the certificate exchange, receiver R 
generates a random string key_r and forwards it to S along with the certificate 
Cert_R. The random string is encrypted together with the intended receiver's 
certificate sequence number as E_{Public key_S}(key_r + Sequence Number_S), using the 
public key Public key_S, together with the digital signature 
E_{Public key_S}(S_{SK_R}(H(key_r + Sequence Number_S))). This way a MitM attacker can 
no longer fabricate the combination of session key key_r and sequence number 
Sequence Number_S. S can now decrypt the random string key_r with the certificate 
sequence number Sequence Number_S using SK_S, and verify the digital signature using 
SK_S and Public key_R, respectively. Now, S and R switch to symmetric encryption. The 
newly established session key key_r is used on both sides to encrypt and decrypt the 
messages. 


4 Security Analysis and Correctness Sketch 

In this section we illustrate the arguments for the safety assurance implied by our 
protocol. The proposed protocol is resistant to MitM attacks. The CA public key is 
conveyed to vehicles in secure settings. The CA receives the request for certificate 
issuance and only the intended recipient will get the certificate Cert from the CA. 
An attempt to manipulate the contents of certificate Cert_S, in order to replace the 
attributes to fit the attacker's vehicle attributes or the public key, will be 
detected, as the digital signature Sign_CA(H(Attribute_S + Public key_S)) makes it 
impossible to modify a certificate or to produce a totally new one. Receiver R 
decrypts the digital signature using the CA public key PK_CA and confirms the 
validity. Thus, any verifiable certificate has originated at the CA, and therefore 
the attributes coupled with a certain public key uniquely characterize the vehicle. 

Protocols | Direct iteration cost | Online authority interaction | Out-of-band verification | Coupling vehicle with communication 
Proposed  | 2 rounds              | No                           | Yes                      | Yes 
ISO-KE    | 3 rounds              | Yes                          | No                       | No 
SIGMA     | 3 rounds              | No                           | No                       | No 

Table 2 Comparison with existing AKE protocols. 

After the mutual authentication is done through signed public key verification 
coupled with the fixed sense-able attributes, a session key has to be established. A 
random string key_r is generated at the receiver R and is sent along with the 
certificate Cert_R, in response to the sender's request for certificate Cert_R. As 
key_r can be replaced by a MitM, S needs to authenticate the origin of key_r. 
Moreover, an attacker can manipulate the random string in transit, hence an integrity 
verification mechanism is required. First, R encrypts key_r and Sequence Number_S 
using S's public key Public key_S, i.e., E_{Public key_S}(key_r + Sequence Number_S), 
so that only S can decrypt the random string using the corresponding secret key SK_S. 
Thus, confidentiality is ensured, as only the intended receiver can decrypt key_r as 
D_{SK_S}[E_{Public key_S}(key_r + Sequence Number_S)]. In order to verify the digital 
signature over key_r, a hashing algorithm H is used to produce the hashed key string 
H(key_r + Sequence Number_S). A digital signature 
E_{Public key_S}(E_{SK_R}(H(key_r + Sequence Number_S))) is attached to 
E_{Public key_S}(key_r + Sequence Number_S). Thus, integrity is maintained, as only R 
can generate this signature. Similarly, only S can retrieve 
H(key_r + Sequence Number_S) from the signature, using the secret key SK_S and 
Public key_R, as D_{SK_S}(E_{Public key_S}(E_{SK_R}(H(key_r + Sequence Number_S)))). 
Next, the H(key_r + Sequence Number_S) recovered from the digital signature is 
compared with the hashed key string generated locally. If both hashed key strings are 
equal, then key_r is accepted as the session key. Note that the signed, encrypted 
key_r and Sequence Number cannot be used successfully as part of a replay attack: 
such usage will be detected by the sender and the receiver, as the actual value of 
key_r is not revealed to the attacker. The use of synchronized date-time and a signed 
association of the date-time can avoid even such unsuccessful attack attempts. 

As per Table 2, the proposed approach is comparable to the existing AKE protocols 
such as ISO-KE [?] and SIGMA [53] mentioned above in Section 3. Accordingly, the 
first criterion of comparison is the iteration cost, which determines the 
communication complexity. The proposed approach requires only two rounds of 
communication, i.e., sender-to-receiver and receiver-to-sender, as part of the 
authenticated key exchange. Furthermore, the next column indicates whether an online 
interaction is needed; online interaction is too restrictive and costly. Therefore, 
we design our scheme to eliminate the need for active assistance from a trusted third 
party for authentication. In contrast with other AKE protocols, our proposed approach 
incorporates an out-of-band verification to cross-verify the vehicle authentication 
over the wireless channel. In addition, by the use of the out-of-band channel, our 
scheme enables a coupling between the vehicle's certified identity and the 
authenticated key exchange over the wireless channel. 

Table 3 Notations used in Spi calculus 

Notation                          | Meaning 
n                                 | Name 
c                                 | Communication channel 
u, v, w, x, y, z, t, l            | Variable 
S, R, A                           | Processes 
$\overline{c}\langle M\rangle.S$  | Output process 
$c(x).S$                          | Input process 
$key^+$                           | Public key 
$key^-$                           | Private key 
$S \mid R$                        | Composition 
$(\nu n)S$                        | Restriction with bound n 
$[M\ is\ N]S$                     | Match 
$S \simeq R$                      | Testing equivalence 
$Inst(M)$                         | Instance of interaction 

Correctness. We next outline the widely known method of formal verification, i.e., 
the Spi calculus, which is a derivative of the Pi calculus. Spi calculus is adapted 
to security primitives and an adversary model, and provides an axiomatic proof of 
security [?]. The Spi calculus inherits certain powerful constructs from its 
ancestor, the Pi calculus, and new cryptographic primitives have been added such as 
nonces, unique keys, encryption, decryption, signing, an adversary process, etc. 
Secrecy, integrity and authentication are well-motivated properties for the 
application of Spi calculus. In addition, it is powerful in terms of testing 
equivalence, scope constructs, assertions, predicates, the adversary model and 
channel restriction, which enables synchronized communication among processes. 

• Observational equivalence: A formal ideal protocol description is normalized and 
combined with an adversary in terms of an independent process, such that both 
formalizations of the ideal protocol lead to similar observational equivalences. It 
is useful for authentication as well as secrecy property verification. For example, 
$A \simeq B$ means that the behaviour of the processes A and B is indistinguishable, 
and a third entity cannot identify the difference when running in parallel with 
either one of them. These testing equivalences are reflexive, transitive and 
symmetric. 

• Trace analysis: Trace-based reasoning is verified against valid communication 
sequences through message input and output. A protocol is considered secure if every 
trace resembles the ideal protocol phase, i.e., the ideal sequence of communication. 
Spi calculus provides a much deeper level of complexity and therefore freedom to 
achieve security goals in the presence of a more complex adversary process. 
In what follows we illustrate a formal realization of the proposed protocol using 
Spi calculus (see Table 3 for notations). Processes S, R, A denote the communicating 
parties Sender, Receiver and Attacker, respectively. The rounds of message M exchange 
between the sender and receiver are called one instance of the protocol and are 
denoted by Inst(M). Processes start exchanging the certificates in the following 
order. 

First, in instance Inst(Cert_S), sender S sends the certificate Cert_S to R on 
channel c_SR, and R receives the certificate on the same channel. 

$S(Cert) = \overline{c}_{SR}\langle Cert_S \rangle$ 

$S(Cert) = \overline{c}_{SR}\langle Attribute_S + Public\ key_S \,\|\, Sign_{CA}[\{H(Attribute_S + Public\ key_S)\}]_{CA^-} \rangle$ 

$R = c_{SR}(x).\ case\ x\ of\ y;\ let\ (y_1, y_2) = y\ in\ case\ y_2\ of\ [\{z\}]_{CA^+}\ in\ F(y_1)$ 

$Inst(Cert) \triangleq (\nu K_{CA})(S(Cert) \mid R)$ 

Next, instance Inst(Cert || key_r) executes in sequence, while receiver R forwards 
certificate Cert_R and session key key_r to S. 

$R(Cert \| key_r) = \overline{c}_{RS}\langle Cert_R \rangle \mid \langle \{[key_r + Sequence\ Number_S]\}_{S^+} \,\|\, \{[[\{H(key_r + Sequence\ Number_S)\}]_{R^-}]\}_{S^+} \rangle$ 

$R(Cert \| key_r) = \overline{c}_{RS}\langle Attribute_R + Public\ key_R \,\|\, Sign_{CA}[\{H(Attribute_R + Public\ key_R)\}]_{CA^-} \rangle \mid \langle \{[key_r + Sequence\ Number_S]\}_{S^+} \,\|\, \{[[\{H(key_r + Sequence\ Number_S)\}]_{R^-}]\}_{S^+} \rangle$ 

$S = c_{RS}(x)(u).\ case\ x\ of\ w;\ let\ (w_1, w_2) = w\ in\ case\ w_2\ of\ [\{v\}]_{CA^+}\ in\ F(w_1).\ case\ u\ of\ t;\ let\ (t_1, t_2) = t\ in\ case\ t_2\ of\ [\{\{[l]\}_{S^-}\}]_{R^+}\ in\ F(t_1)$ 

$Inst(Cert \| key_r) \triangleq (\nu K_S)(\nu K_R)(R(Cert \| (key_r + Sequence\ Number_S)) \mid S)$ 


We analyze the authenticity and secrecy properties in Claims 4.1 and 4.2, 
respectively. 

Claim 4.1 The proposed session key establishment protocol respects the authenticity 
property, i.e., F(y_1), a local function computation at R, is accepted if it indeed 
arrived from S. 

Proof According to the property of authenticity, the receiver is able to verify that 
the certificate is indeed from the sender that the certificate claims to come from. 
Here, we prove the authenticity of the certificate Cert_S and the sender S before the 
local function computation F(Cert_S) at R. 

The first instance of the certificate exchange, in which the certificate moves from 
sender to receiver, is as follows: 

$Inst(Cert) \triangleq (\nu K_{CA})(S(Cert) \mid R)$ 

In order to satisfy the property of authenticity, the following statements hold true 
for the first instance: 

- The recipient can verify that the certificate Cert_S indeed originated at the CA, 
because the receiver holds the CA public key, i.e., CA^+, and is able to verify the 
CA signature over the hashed certificate contents, provided that the condition below 
holds true: 

$[(case\ y_2\ of\ [\{z\}]_{CA^+}) = y_1]$ 

Thus, after step 2(a) in Figure [?], receiver R knows that the digitally signed 
certificate Cert_S holds valid contents regarding the sender S. Subsequently, the 
receiver authenticates the certificate Cert_S. 

- The certificate Cert_S is attributed to the actual sender S if and only if F(y_1) 
qualifies the out-of-band verification, because the receiver extracts the 
authenticated certified attributes of the sender vehicle S. Then it verifies the 
fixed out-of-band channel attributes and confirms that the authenticated attributes 
still hold true. 

- The receiver R derives the coupled public key from Cert_S, and knows that it indeed 
belongs to the certified attribute holder, if the condition below is satisfied: 

$[(case\ S^+(y_2)\ of\ [\{z\}]_{CA^+}) = (S^+(y_1))]$ 

For the second instance, the receiver replies with the certificate Cert_R 
concatenated with the hashed and signed session key (key_r + Sequence Number_S). 

$Inst(Cert \| key_r) \triangleq (\nu K_S)(\nu K_R)(R(Cert \| (key_r + Sequence\ Number_S)) \mid S)$ 

The second instance holds true on the following properties, while analyzing the 
property of authenticity. 

- The sender S can verify that the certificate Cert_R indeed originated at the CA, if 
the condition below holds true: 

$[(case\ w_2\ of\ [\{v\}]_{CA^+}) = w_1]$ 

This is because the sender S holds the CA public key, i.e., CA^+, and is able to 
verify the CA signature over the hashed certificate contents. Thus, after step 3(a) 
in Figure [?], sender S knows that the digitally signed certificate Cert_R holds valid 
contents regarding the receiver R. Consequently, the sender authenticates the 
certificate Cert_R. 

- The certificate Cert_R is attributed to R if and only if F(w_1) qualifies the 
out-of-band verification, because the sender extracts the authenticated certified 
attributes of the receiver vehicle R. It then verifies the fixed out-of-band channel 
attributes and confirms that the authenticated attributes still hold true. 

- The sender S derives the coupled public key from Cert_R, and knows that it indeed 
belongs to the certified attribute holder R, if the condition below holds true: 

$[(case\ R^+(w_2)\ of\ [\{v\}]_{CA^+}) = (R^+(w_1))]$ 

- The binding between the session key key_r and the certificate Cert_R holds true. It 
requires that $[(case\ t_2\ of\ [\{\{[l]\}_{S^-}\}]_{R^+}) = t_1]$, provided that the 
condition $[(case\ w_2\ of\ [\{v\}]_{CA^+}) = w_1]$ is also verified, because it is 
then confirmed that the signature over the hashed session key utilizes the secret key 
R^-, and can only be generated by R. 

The following claim proves the second property, secrecy preservation of the proposed 
protocol. 

Claim 4.2 The proposed session key establishment protocol respects the secrecy 
property. No instance of certificate exchange reveals the secret session key and, 
subsequently, no instance of the session-key-encrypted message exchange reveals the 
message contents. 

Proof. According to the secrecy property, an attacker cannot distinguish different 
messages encrypted with the same or different session keys, for the same or different 
pairs of vehicles/processes. The message must be revealed to the intended recipient 
only. First we prove the secrecy property for the session key exchange between the 
sender and receiver, and then for the message exchange within the shared-key session. 

In the first instance, the sender exchanges the certificate; we do not assume a secret 
certificate exchange. In the second instance, we need secrecy regarding the session 
key exchange, in order to ensure the secrecy of session-key-encrypted messages in the 
current session. 

- The session key exchange in the second instance is a secret between the receiver R 
and sender S, as $[(case\ t_2\ of\ [\{l\}]_{S^-}) \simeq (case\ t'_2\ of\ [\{l'\}]_{S^-})]$. 
Only the sender knows the secret key S^- and is able to verify the signature. 

- The hashed and signed sequence number Sequence Number_S ensures that it was indeed 
sent to S, and the condition below must hold true: 

$[(case\ t_2\ of\ [\{\{[l]\}_{S^-}\}]_{R^+}) = t_1]$ 

Only the holder of the secret key S^-, i.e., S, can decrypt and verify the signature 
over the session key and sequence number, see step 3(b) in Figure [?]. 

After the secure session key exchange as stated above, current session messages are 
encrypted with the secret session key. The current session key is a shared secret 
between the sender S and receiver R only. It is also important to mention that the 
local function computation F(t_1) at S is inherently secure, and does not reveal the 
deciphered message contents local to S. Hence, we can say that the session key is 
securely exchanged with S, followed by the secure F(t_1) computation at S. Thus, 
future messages of the current session are secretly shared between the two, as they 
are encrypted using a unique shared secret key. 
5 Conclusion and Future Work 

The proposed work provides Man-in-the-Middle (MitM) attack resistance and mutual 
authentication using a certified public key and out-of-band sense-able attributes. 
As the Certificate Authority (CA) preprocesses every vehicle's public key and 
unchangeable visual attributes, there is no way that a MitM can fake the public key 
or the unchangeable attributes. Also, the out-of-band attributes are sense-able and 
can be confirmed while moving on the road. There is no need to communicate with the 
CA during the real-time establishment of a secret session key for the mutual 
authentication of vehicles. The proposed protocol is simple, efficient and ready to 
be employed in current and future vehicular networks. A more sophisticated scheme 
that specifically requires additional communication hardware, which is not currently 
available in vehicles, may also verify dynamic attributes in case the adversary is 
able to clone the vehicle together with its license number [?]. 